Date :  07/21/09

Author:  Marc Schoenefeld

Undx released

Download undx, the tool to reconstruct Dalvik applications, here


Date :  05/22/09

Author:  Marc Schoenefeld

Hardening OSX against CVE-2008-5353 (aka java-apple-wontfix)

This has been fixed; there is no longer any need for action!

In the following paragraphs you will learn about a DIY approach to patching the JDK on OSX against CVE-2008-5353.

For Tiger (Tiger lets you set the classpath via the GUI; otherwise the steps are the same as for Leopard):

  1. Get the src.zip of a recent non-OSX java distribution (like Sun Java 5/JDK 1.5.0_19 for Linux)
  2. unzip src.zip java/util/Calendar.java
  3. javac java/util/Calendar.java
  4. zip /somepath/FixedCalendar.jar java/util/Calendar*.class
  5. Inside Finder go to Utilities / Java / J2SE 5.0 / Java Preferences
  6. Set Java-Applet-Runtime-Parameter to -Xbootclasspath/p:/somepath/FixedCalendar.jar
  7. Start up a browser, browse to http://www.java.com/en/download/help/testvm.xml, see the dancing duke, open Java Console, press s, you should now see FixedCalendar.jar in the sun.boot.class.path
  8. If you are brave, try the PoC exploit on http://landonf.bikemonkey.org/static/moab-tests/CVE-2008-5353/hello.html , it should give you a bootstrap failure now

For Leopard:

  1. Get the src.zip of a recent non-OSX java distribution (like Sun Java 5/JDK 1.5.0_19 for Linux)
  2. unzip src.zip java/util/Calendar.java
  3. javac java/util/Calendar.java
  4. zip /somepath/FixedCalendar.jar java/util/Calendar*.class
  5. In ~/Library/Caches/Java/deployment.properties set option deployment.javapi.jre.1.5.0.args=-Xbootclasspath/p:/somepath/FixedCalendar.jar
  6. Start up a browser, browse to http://www.java.com/en/download/help/testvm.xml, see the dancing duke, open Java Console, press s, you should now see FixedCalendar.jar in the sun.boot.class.path
  7. If you are brave, try the PoC exploit on http://landonf.bikemonkey.org/static/moab-tests/CVE-2008-5353/hello.html , it should give you a bootstrap failure now

Note 1: Your JDK is no longer the original, but it is a bit more secure now.
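The step lists above, scripted as an added example that is not part of the original post: it builds FixedCalendar.jar from a src.zip (steps 1 to 4), checks that the jar really contains the replacement class, and sets the Leopard deployment.properties option without leaving a duplicate key behind. The src.zip and jar paths are arguments, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): scripts the FixedCalendar.jar build
# and the Leopard deployment.properties edit described above, with sanity checks.
# Assumptions: paths are passed absolute; javac/zip/unzip are on PATH; the
# property key and the -Xbootclasspath/p: option are those given in the post.
set -eu

# Steps 1-4: extract Calendar.java from a non-OSX src.zip, compile it and jar it.
# usage: build_fixed_calendar /path/to/src.zip /somepath/FixedCalendar.jar
build_fixed_calendar() {
  src_zip=$1; out_jar=$2
  work=$(mktemp -d)
  unzip -q "$src_zip" java/util/Calendar.java -d "$work"
  (cd "$work" && javac java/util/Calendar.java && zip -q "$out_jar" java/util/Calendar*.class)
  rm -rf "$work"
  # The whole fix hinges on this class being in the jar; fail loudly if it is not.
  unzip -l "$out_jar" | grep -q 'java/util/Calendar.class' \
    || { echo "error: $out_jar does not contain java/util/Calendar.class" >&2; return 1; }
}

# Leopard step 5: set deployment.javapi.jre.1.5.0.args, replacing any earlier
# value so that re-running the script never leaves two copies of the key.
# usage: set_bootclasspath_arg ~/Library/Caches/Java/deployment.properties /somepath/FixedCalendar.jar
set_bootclasspath_arg() {
  props=$1; jar=$2
  key='deployment.javapi.jre.1.5.0.args'
  tmp=$(mktemp)
  if [ -f "$props" ]; then
    grep -v "^$key=" "$props" > "$tmp" || true   # grep exits 1 when nothing is left
  fi
  echo "$key=-Xbootclasspath/p:$jar" >> "$tmp"
  mv "$tmp" "$props"
}

# Returns 0 if the properties file already points the JRE at the given jar.
# usage: has_bootclasspath_arg deployment.properties /somepath/FixedCalendar.jar
has_bootclasspath_arg() {
  grep -q "^deployment.javapi.jre.1.5.0.args=-Xbootclasspath/p:$2\$" "$1"
}

# Run as: sh fixcalendar.sh /path/to/src.zip /somepath/FixedCalendar.jar
# (nothing happens without arguments, so the functions can also be sourced).
if [ $# -eq 2 ]; then
  build_fixed_calendar "$1" "$2"
  set_bootclasspath_arg "$HOME/Library/Caches/Java/deployment.properties" "$2"
  echo "done; confirm in the Java Console (press s) that $2 is in sun.boot.class.path"
fi
```

The final confirmation is still the one from step 6: the jar has to show up in sun.boot.class.path of the applet JVM, not just in the properties file.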

Some slides on Serialization flaws (shameless plug):

A set of funny remote effects of the serialisation API was first discussed at Bellua 2005: And again here, with some more examples: